[rhelv6-list] Openldap Problem
Derek Yarnell
derek at umiacs.umd.edu
Fri Jul 27 00:26:41 UTC 2012
Hi Chris,
You seem not to be setting any TLS settings in your slapd. Are you also
starting it with "-h ldaps:///"? Also, if so, can you do an ldapsearch
with the -ZZ option, which will ensure TLS starts?
e.g. in slapd.conf
# ssl
TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd-key.pem
TLSVerifyClient never
TLSCACertificateFile /etc/openldap/certs/ca-cert.pem
Thanks,
derek
On 7/26/12 5:18 AM, Chris wrote:
> Hi.
>
> I am using rhel 6.3, with sssd-1.8.0 and openldap-servers-2.4.23-26, the
> kernel is 2.6.32-279.2.1.el6.x86_64.
> The problem I'm having is that I get this error message in the messages file.
>
> "sssd[be[default]]: Could not start TLS encryption. TLS error
> -5938:Encountered end of file"
> Errors I saw in sssd_default.log
>
> When I add new users I cannot log in with the new names; an ldapsearch
> shows them, but getent passwd returns nothing.
> Not all the users show up on my other machines, only some.
>
> Any help will be appreciated.
>
>
> My slapd.conf file looks like this.
>
> include /etc/openldap/schema/corba.schema
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/duaconf.schema
> include /etc/openldap/schema/dyngroup.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/java.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/openldap.schema
> include /etc/openldap/schema/ppolicy.schema
> include /etc/openldap/schema/collective.schema
>
> allow bind_v2
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> database bdb
> suffix "dc=flamengro,dc=com"
> checkpoint 1024 15
> rootdn "cn=Manager,dc=flamengro,dc=com"
>
> rootpw secret
>
> directory /var/lib/ldap/flamengro
>
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
>
> database monitor
> access to *
> by dn.exact="cn=Manager,dc=flamengro,dc=com" read
> by * none
> access to attrs=userPassword,shadowLastChange
> by anonymous auth
> by self write
> by * none
>
> My sssd.conf file looks like this
> [sssd]
> config_file_version = 2
>
> reconnection_retries = 3
>
> sbus_timeout = 30
> services = nss, pam
>
> domains = default
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/default]
> auth_provider = ldap
> cache_credentials = True
> ldap_id_use_start_tls = True
> debug_level = 9
> ldap_search_base = dc=flamengro,dc=com
> # krb5_realm = EXAMPLE.COM
> chpass_provider = ldap
> id_provider = ldap
> ldap_uri = ldap://ibm-01.flamengro.co.za
> # krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
> enumerate = True
> ldap_sasl_canonicalize = true
> # krb5_server = kerberos.example.com
>
>
> _______________________________________________
> rhelv6-list mailing list
> rhelv6-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-list
>
--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies
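The reply above points at the slapd side of the problem: the posted sssd.conf sets ldap_id_use_start_tls = True on a plain ldap:// URI, so every connection opens with a StartTLS request, and slapd only accepts that request when its TLS directives are set and the files they name are usable. The shell script below is an added example, not code from the thread or from the OpenLDAP or SSSD projects. It audits a slapd.conf for the three TLS file directives shown in the reply, checks that the named files are readable and that the private key is not world-readable, and pairs that with a check of whether a given sssd.conf will demand StartTLS at all. The example.com names and the files it creates under mktemp are constructed fixtures, not the poster's real configuration.

```shell
#!/bin/sh
# Added example, not part of the thread: cross-check the two configs posted
# above. sssd with "ldap_id_use_start_tls = True" on an ldap:// URI sends a
# StartTLS request, which slapd only honours when its TLS* directives are set
# and the files they name are usable. All paths below are constructed
# fixtures (example.com), not the poster's real files.

# Succeeds (0) when sssd.conf will demand StartTLS on a plain ldap:// URI.
sssd_requires_starttls() {
    grep -Eiq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true' "$1" &&
    grep -Eiq '^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldap://' "$1"
}

# Print the value of a slapd.conf directive (first match), empty if absent.
slapd_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Audit a slapd.conf: each TLS file directive present and readable, private
# key not world-readable. Returns the number of problems found (0 = OK).
check_slapd_tls() {
    conf=$1; problems=0
    for d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        f=$(slapd_directive "$conf" "$d")
        if [ -z "$f" ]; then
            echo "$conf: $d not set, slapd will refuse StartTLS" >&2
            problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "$conf: $d -> $f is not readable" >&2
            problems=$((problems + 1))
        fi
    done
    key=$(slapd_directive "$conf" TLSCertificateKeyFile)
    if [ -n "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "$conf: private key $key is world-readable" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Build constructed fixtures in a temp dir: a TLS-less slapd.conf like the
# one posted, one carrying the TLS block from the reply, and an sssd.conf
# that requires StartTLS. Prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/certs"
    : > "$dir/certs/slapd-cert.pem"
    : > "$dir/certs/ca-cert.pem"
    : > "$dir/certs/slapd-key.pem"
    chmod 600 "$dir/certs/slapd-key.pem"
    printf 'database bdb\nsuffix "dc=example,dc=com"\n' > "$dir/slapd-notls.conf"
    cat > "$dir/slapd-tls.conf" <<EOF
TLSCipherSuite HIGH
TLSCertificateFile $dir/certs/slapd-cert.pem
TLSCertificateKeyFile $dir/certs/slapd-key.pem
TLSVerifyClient never
TLSCACertificateFile $dir/certs/ca-cert.pem
EOF
    printf '[domain/default]\nldap_id_use_start_tls = True\nldap_uri = ldap://ldap.example.com\n' \
        > "$dir/sssd.conf"
    echo "$dir"
}

FIX=$(make_fixture)
if sssd_requires_starttls "$FIX/sssd.conf"; then
    echo "sssd.conf will send StartTLS; auditing the slapd side"
    for c in "$FIX/slapd-notls.conf" "$FIX/slapd-tls.conf"; do
        if check_slapd_tls "$c"; then
            echo "$(basename "$c"): TLS directives complete; confirm live with"
            echo "  ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com"
        else
            echo "$(basename "$c"): StartTLS will fail until the directives above are fixed"
        fi
    done
fi
rm -rf "$FIX"
```

On a real host, call check_slapd_tls /etc/openldap/slapd.conf and sssd_requires_starttls /etc/sssd/sssd.conf directly. A clean audit only says the directives are present and the files are usable; it does not prove the server negotiates TLS, so follow it with the ldapsearch -ZZ run from the reply, which fails instead of silently continuing in the clear when StartTLS cannot complete.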